Age | Commit message | Author |
|
ok deraadt@ tedu@
|
|
- Unicast packets sent to any local address will have their interface
set to loopback.
- In order to differentiate traffic from interfaces having identical
link-local addresses, provide the scoped addresses to pf(4).
- Update the icmp6 state lookup logic to match scoped MLL addresses.
- Remove a shortcut in ip6_input() that bypasses pf and always look
for an RTF_LOCAL route.
Packets sent to multicast addresses still retain their original
interface due to the fact that local multicast packet delivering
does not use if_output.
This makes ping6 to link-local addresses work even with pf enabled
and "set skip" on loopbacks, reported by Pieter Verberne.
Debugged, analysed and tested with mikeb@.
ok mikeb@, henning@, sthen@
|
|
so use the safer function. can be converted back to memcpy if necessary,
but later and only after more careful inspection.
|
|
to include that than rdnvar.h. ok deraadt dlg
|
|
|
|
|
|
ok phessler@ tedu@
|
|
since we might have tweaked the addresses.
Problem reported and fix tested by Bastien Durel <bastien at geekwu ! org>,
thanks! OK henning
|
|
types ICMP_ECHO and ICMP6_ECHO_REQUEST have their special meaning
only if the protocol matches.
Put an #ifdef INET6 around ICMP6_ECHO_REQUEST to make the kernel
without IPv6 compile.
OK henning@
|
|
understandable.
ok chris@
|
|
IP-traffic over a carp interface with the underlying carpdev being unnumbered
(in the numbered case usually the ifp is the carpdev to begin with) went out
with the carpdev's mac address instead of the carp interface's one due to a
carp hack in ether_output exchanging the carp ifp for its carpdev's one.
move the source mac selection to before that.
fixes unnumbered carp use in environments with strict mac address regimes
like some exchange points. issue found by yours truly the hard way.
ok mpi dlg
|
|
ok bluhm@ dlg@ florian@ mpi@
|
|
ok dlg@, uebayasi@, mikeb@
|
|
This change was defeating the code in rtrequest1(9) checking for route
entries with the same dst/gw when the same IP address was configured on
multiple interfaces.
As a result, multiple local routes were created for the same address and
marked as multipath. But changing their gateway to 127.0.0.1 would make
them similar and impossible to remove. This would leave entries with a
stale ifa pointer as soon as the address was removed.
Prevent a panic reported by todd@
|
|
functionality instead of a mix of enable/disable.
ok bluhm@, jca@
|
|
handle them. Also use M_NOWAIT for copying a multicast packet.
|
|
session for multicast in proper way.
|
|
Without this, the packets larger than the minimum MTU on the routes to
the L2TP peer had been dropped.
|
|
wasn't freed when the interface is destroyed. Free it properly.
ok dlg
|
|
OK blambert@ yasuoka@
|
|
|
|
pfsync_sendout. more specifically, move the reset of sc->sc_len to
PFSYNC_MINPKT above ip_output.
this prevents a situation where ipsec via ip_output calls
pfsync_update_tdb for syncing the ipsec flow to a peer, which
accounts for the tdb in the next pfsync packet, before unwinding
back to pfsync_output which resets the accounting we just did.
the next pfsync packet to be sent out will be allocated with a short
length because sc_len is wrong, and the long lists of things (eg,
the tdb) can overwrite memory after the mbuf. this manifests as
incorrect poisoning or xsimpleq entry corruption in mbufs still in
a pool, or random corruption of m->m_next on other mbufs in the
system.
bug found, fix tested, and ok stsp@
|
|
cannot create it.
Suggested by and ok claudio@
|
|
kill the macro.
ok mikeb@, henning@
|
|
|
|
as already done for lcp/ipcp/pap/chap
|
|
ok henning@, dlg@, mikeb@
|
|
ok henning@, phessler@
|
|
many years and widespread demand for support never materialized.
time to pack it in.
|
|
parent that doesnt offload the tag insertion, we need to chop the
vlan subheader out before the filter is run, not after.
this moves the mbuf surgery out from the bpf layer into the vlan
layer.
ok henning@ jmatthew@
|
|
it does not need to be protected by splnet().
Rafael Zalamena agrees, no objection from the MPLS gang.
|
|
raise it inside their ioctl handler (except for carp(4), what else?).
In general, global structures manipulated in the softnet codepath only
require a splsoftnet() protection when they are modified in process
(ioctl) context.
Also put some IPL_SOFTNET asserts in functions accessing global structures.
Previous version diff ok mikeb@, with inputs from and ok bluhm@
|
|
|
|
address should not be flagged with RTF_LLINFO.
With this fix, arp(8) will no longer report an incomplete entry for lo0.
ok claudio@
|
|
|
|
With KAME's hack of ``loopbacked host route'' we were checking if the
associated interface was a loopback. Now simply look for the correct
flags, which also helps reducing the number of ifp pointer dereferences.
ok claudio@
|
|
all the per-interface lists of addresses.
Tweaks and ok bluhm@, ok kspillner@, claudio@
|
|
rely on "struct route" that should die.
ok claudio@
|
|
get multiple processes in the kernel these sets cant race and allow people
to set the default greater than the max.
|
|
in it cos its only called on new systems, when it actually does.
we dont care about old or new systems, just ours. the code is called, the
fact that it exists is enough to demonstrate that.
|
|
we refcount the bpf_d memory correctly so it cant go away. possibly worse
is the bpf minor id could be reused between the kq calls, so this seems
safer to me. also avoids a list walk on each op cos the ptr is just there.
|
|
large cluster pools and MCLGETI.
we could chain mbufs if we want to go even bigger.
with a fix from Mathieu- <naabed at poolp dot org>
|
|
end up waiting until the ring is full cos the timeout doesnt get set up
when the knote is registered.
|
|
|
|
the failure path which leaks all the stuff the previous code in
bpf_movein allocates.
since it's only called from bpfwrite, use M_WAIT instead to make
it reliable and just get rid of the bogus failure code.
ok miod@
|
|
ok mpi@ henning@ krw@
|
|
related to disk statistics for almost 17 years, and the remaining
userland-visible defines duplicate those found in <sys/sched.h>.
Move the remaining _KERNEL defines to <sys/tty.h> where they belong, and
update all users to cope with this.
ok kettenis@
|
|
function pflog_bpfcopy() is setting up a packet description with
pf_setup_pdesc(). When pf_setup_pdesc() is dropping a bad packet,
it increments the pf status counters. This way bad packets
could be accounted multiple times. Now pflog_bpfcopy() passes a
reason pointer NULL to indicate that no accounting should be done.
From Florian Riehm; OK henning@
|
|
ok miod@ mpi@
|
|
route priority.
While here document a RTM_ADD message is only sent to userland for
local entries.
ok mikeb@, florian@
|